Supplier information
We maintain supplier standards for security, privacy, and compliance. We expect adherence to our code of conduct and prompt reporting of incidents. Our supplier program ensures vendors meet our standards and protect our clients' data and systems.
Supplier expectations
Security controls aligned to zero trust and least privilege: Suppliers must implement security controls aligned to zero trust principles and least privilege access. Identity and access management must use strong authentication and authorization. Networks must be segmented and monitored. Data must be encrypted in transit and at rest. These practices ensure suppliers protect systems and data.
Privacy and data handling consistent with our policies: Suppliers must handle data consistent with our privacy policies and applicable laws. Data minimization, purpose limitation, and retention controls must be applied. Data subject rights must be honored. Privacy by design must be practiced. These practices ensure suppliers protect privacy.
Incident reporting within contracted SLAs: Suppliers must report security incidents, data breaches, and privacy issues promptly within contracted SLAs. Reports must include details, impact assessment, and remediation plans. We investigate incidents and require remediation. These practices ensure incidents are handled quickly and effectively.
Compliance with applicable regulations and audits: Suppliers must comply with applicable regulations and submit to audits. Certifications such as SOC 2 or ISO 27001, or GDPR compliance, are preferred. Audits validate compliance and identify gaps. These practices ensure suppliers meet compliance requirements.
Supplier onboarding
We assess suppliers before engagement through risk assessments covering security, privacy, compliance, and business practices. We prefer suppliers with strong practices and certifications. Contracts include security, privacy, and compliance clauses. These practices ensure suppliers meet our standards before engagement.
Risk assessments cover data handling practices, security controls, breach history, compliance certifications, and business practices. We review policies, procedures, and evidence of controls. We prefer suppliers with certifications and track records. These practices ensure we engage with trustworthy suppliers.
Ongoing monitoring
We monitor suppliers for compliance and incidents. Regular reviews assess practices, certifications, and incidents. We require remediation when gaps are identified. We terminate relationships when suppliers fail to meet standards. These practices ensure suppliers maintain our standards over time.
Sub-processors must meet our standards. We disclose sub-processors and require them to protect data. We monitor sub-processors and require remediation when needed. These practices ensure the entire supply chain meets our standards.
Code of conduct
Suppliers must adhere to our code of conduct covering ethics, labor practices, environmental responsibility, and business practices. We expect suppliers to treat employees fairly, protect the environment, and conduct business ethically. We investigate violations and require remediation. These practices ensure suppliers align with our values.
Contact us
For supplier questions or to become a supplier, please use our contact form. We review supplier inquiries promptly and engage with suppliers that meet our standards.